summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorclarkzjw <[email protected]>2023-02-08 00:40:09 -0800
committerclarkzjw <[email protected]>2023-02-08 00:40:09 -0800
commit1204730924436ef9e1c7c49c9557837f9a5ed0e8 (patch)
tree129d79dfd11245751cee6d4082ff5d2f6e941610 /ansible/roles/postfix/templates
parent9635ac4dedf69de5bff65785bcc16bef80b52d75 (diff)
downloadmail-1204730924436ef9e1c7c49c9557837f9a5ed0e8.tar.gz
fork https://github.com/mattsta/mailwebHEADmaster
Diffstat (limited to 'ansible/roles/postfix/templates')
-rw-r--r--ansible/roles/postfix/templates/postfix/main.cf.j2194
1 files changed, 194 insertions, 0 deletions
diff --git a/ansible/roles/postfix/templates/postfix/main.cf.j2 b/ansible/roles/postfix/templates/postfix/main.cf.j2
new file mode 100644
index 0000000..b3e8cc2
--- /dev/null
+++ b/ansible/roles/postfix/templates/postfix/main.cf.j2
@@ -0,0 +1,194 @@
1# Modified from https://www.c0ffee.net/blog/mail-server-guide
2
3smtpd_banner = $myhostname ESMTP dx Independence
4
5# "2" is current for postfix 3.2 configs
6compatibility_level = 2
7
8# disable "new mail" notifications for local unix users
9biff = no
10
11# directory to store mail for local unix users
12mail_spool_directory = /var/mail/local
13
14# Name of this mail server, used in the SMTP HELO for outgoing mail. Make
15# sure this resolves to the same IP as your reverse DNS hostname.
16myhostname = {{ network.hostname.public }}
17
18# Domains for which postfix will deliver local mail. Does not apply to
19# virtual domains, which are configured below. Make sure to specify the FQDN
20# of your sever, as well as localhost.
21# Note: NEVER specify any virtual domains here!!! Those come later.
22mydestination = localhost
23
24# Domain appended to mail sent locally from this machine - such as mail sent
25# via the `sendmail` command.
26myorigin = $myhostname
27
28# prevent spammers from searching for valid users
29disable_vrfy_command = yes
30
31# require properly formatted email addresses - prevents a lot of spam
32strict_rfc821_envelopes = yes
33
34# don't give any helpful info when a mailbox doesn't exist
35show_user_unknown_table_name = no
36
37# limit maximum e-mail size to 256 MB. mailbox size must be at least as big as
38# the message size for the mail to be accepted, but has no meaning after
39# that since we are using Dovecot for delivery.
40message_size_limit = 268435456
41mailbox_size_limit = 0
42
43# require addresses of the form "[email protected]"
44allow_percent_hack = no
45swap_bangpath = no
46
47# allow plus-aliasing: "[email protected]" delivers to "user" mailbox
48recipient_delimiter = +
49
50# path to the SSL certificate for the mail server
51smtpd_tls_cert_file = /etc/ssl/{{ network.hostname.public }}-cert-combined.rsa2048.pem
52smtpd_tls_key_file = /etc/ssl/private/{{ network.hostname.public }}-key.rsa2048.pem
53
54# You can also specify an EC cert to try first if the clients support it.
55smtpd_tls_eccert_file = /etc/ssl/{{ network.hostname.public }}-cert-combined.prime256v1.pem
56smtpd_tls_eckey_file = /etc/ssl/private/{{ network.hostname.public }}-key.prime256v1.pem
57
58# Path to your trusted certificates file. Usually provided by a
59# ca-certificates package or similar.
60smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt
61
62# These two lines define how postfix will connect to other mail servers.
63# "may" allows opportunistic TLS and "enabled" allows hostname lookups
64# http://www.postfix.org/TLS_README.html
65smtp_tls_security_level = may
66smtp_dns_support_level = enabled
67
68# IP address used by postfix to send outgoing mail. You only need this if
69# your machine has multiple IP addresses - set it to your MX address to
70# satisfy your SPF record.
71smtp_bind_address = {{ hostvars[inventory_hostname]['ansible_' + network.interface.public]['ipv4']['address'] }}
72smtp_bind_address6 =
73inet_interfaces = 127.0.0.1,$smtp_bind_address
74inet_protocols = ipv4
75
76# Here we define the options for "mandatory" TLS. In our setup, TLS is only
77# "mandatory" for authenticating users. I got these settings from Mozilla's
78# SSL reccomentations page.
79#
80# NOTE: do not attempt to make TLS mandatory for all incoming/outgoing
81# connections. Do not attempt to change the default cipherlist for non-
82# mandatory connections either. There are still a lot of mail servers out
83# there that do not use TLS, and many that do only support old ciphers.
84# Forcing TLS for everyone *will* cause you to lose mail.
85smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, TLSv1.2
86smtpd_tls_mandatory_ciphers = high
87tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
88
89# allow other mail servers to connect using TLS, but don't require it
90smtpd_tls_security_level = may
91
92# tickets and compression have known vulnerabilities
93tls_ssl_options = no_ticket, no_compression
94
95# yes, using 2048 with "dh1024" is the right thing to do
96smtpd_tls_dh1024_param_file = /etc/ssl/ffdhe2048.pem
97
98# cache incoming and outgoing TLS sessions
99smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tlscache
100smtp_tls_session_cache_database = btree:${data_directory}/smtp_tlscache
101
102# enable SMTPD auth. Dovecot will place an `auth` socket in postfix's
103# runtime directory that we will use for authentication.
104# TODO: can also replace this with a network inet connection if dovecot opens it
105smtpd_sasl_auth_enable = yes
106smtpd_sasl_path = private/auth
107smtpd_sasl_type = dovecot
108
109# only allow authentication over TLS
110smtpd_tls_auth_only = yes
111
112# don't allow plaintext auth methods on unencrypted connections
113smtpd_sasl_security_options = noanonymous, noplaintext
114# but plaintext auth is fine when using TLS
115smtpd_sasl_tls_security_options = noanonymous
116
117# add a message header when email was recieved over TLS
118smtpd_tls_received_header = yes
119
120# require that connecting mail servers identify themselves - this greatly
121# reduces spam
122smtpd_helo_required = yes
123
124# The following block specifies some security restrictions for incoming
125# mail. The gist of it is, authenticated users and connections from
126# localhost can do anything they want. Random people connecting over the
127# internet are treated with more suspicion: they must have a reverse DNS
128# entry and present a valid, FQDN HELO hostname. In addition, they can only
129# send mail to valid mailboxes on the server, and the sender's domain must
130# actually exist.
131smtpd_client_restrictions =
132 permit_mynetworks,
133 permit_sasl_authenticated,
134 #reject_unknown_reverse_client_hostname,
135 # you might want to consider:
136 # reject_unknown_client_hostname,
137 # here. This will reject all incoming connections without a reverse DNS
138 # entry that resolves back to the client's IP address. This is a very
139 # restrictive check and may reject legitimate mail.
140 reject_unauth_pipelining
141smtpd_helo_restrictions =
142 permit_mynetworks,
143 permit_sasl_authenticated,
144 reject_invalid_helo_hostname,
145 reject_non_fqdn_helo_hostname,
146 # you might want to consider:
147 # reject_unknown_helo_hostname,
148 # here. This will reject all incoming mail without a HELO hostname that
149 # properly resolves in DNS. This is a somewhat restrictive check and may
150 # reject legitimate mail.
151 reject_unauth_pipelining
152smtpd_sender_restrictions =
153 permit_mynetworks,
154 permit_sasl_authenticated,
155 reject_non_fqdn_sender,
156# reject_unknown_sender_domain,
157 reject_unauth_pipelining
158smtpd_relay_restrictions =
159 permit_mynetworks,
160 permit_sasl_authenticated,
161 # !!! THIS SETTING PREVENTS YOU FROM BEING AN OPEN RELAY !!!
162 reject_unauth_destination
163 # !!! DO NOT REMOVE IT UNDER ANY CIRCUMSTANCES !!!
164#smtpd_recipient_restrictions =
165# permit_mynetworks,
166# permit_sasl_authenticated,
167# reject_non_fqdn_recipient,
168# reject_unknown_recipient_domain,
169# reject_unauth_pipelining,
170smtpd_data_restrictions =
171 permit_mynetworks,
172 permit_sasl_authenticated,
173 reject_multi_recipient_bounce,
174 reject_unauth_pipelining
175
176smtpd_recipient_restrictions =
177 permit_mynetworks,
178 permit_sasl_authenticated,
179 reject_unauth_destination
180
181# deliver mail for virtual users to Dovecot's LMTP socket
182# TODO: convert this to network with dovecot opening a local inet port
183virtual_transport = lmtp:unix:private/dovecot-lmtp
184virtual_mailbox_domains = /etc/postfix/domains
185
186virtual_alias_maps = hash:/etc/postfix/virtual
187#virtual_alias_domains = /etc/postfix/domains
188
189# We'll uncomment these when we set up rspamd later:
190milter_protocol = 6
191milter_default_action = accept
192#smtpd_milters = unix:/var/run/rspamd/milter.sock
193smtpd_milters = inet:localhost:11332
194milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
Powered by cgit v1.2.3 (git 2.41.0)